New Member

Question

FortiSwitch: Spanning Tree Issue - Port disabled

Forum|Forum|3 years ago
December 5, 2022
9 replies
59562 views

Hi

I have a problem with spanning tree and ports being disabled. I don't know what to do and it is annoying me at times and prevents me from working. Maybe someone has an idea for further debugging.

My client (macOS) is directly connected to a FortiSwitch (124E), which in turn is directly connected to my 40F (trunk). There are some VLAN configured. Occasionally, the port (port20) my client is on gets disabled every few seconds and I lose connectivity.

FortiOS is on 7.0.8 and FortiSwitch 7.0.5. The network setup is very simple.

            +-----------+              +-----------+              +---------+             |           +--------------+           |              |         | WAN +-------+    40F    |    TRUNK     |   124E    +--------------+   MAC   |             |           +--------------+           |              |         |             +-----------+              +-----------+              +---------+

The error messages are as follows:

primary switch port port20 has gone down primary port port20 instance 0 changed role from designated to disabled primary port port20 instance 0 changed state from forwarding to discarding primary switch port port20 has come up primary port port20 instance 0 changed role from disabled to designated

What I have tried so far:

Various FortiSwitch port settings (STP, BPDU Guard, Root & Loop Guard, disable, etc.).
Disabling the trunk to the FortiGate (connectivity only via one link).
set the speed settings to "1Gbits only" or "auto
disable the WLAN interface (Ethernet only) on the client
various reboots
firmware upgrades (FTG and switch)

The error also occurred with other firmware. On the client there is a desktop hypervisor (Fusion) and one VM in bridge mode, but it is disabled. I am not sure if this could have an impact but it does not fit together in time

Any ideas for further debugging?

Thanks in advance.

distillednetwork

Explorer II

I don't think the spanning tree messages are anything more than the normal changes to STP state when the port goes down and up. How do you recover, do you enable the port again from the software or unplug it?

The only other item I could think of is if you have not tested it, disable Edge Port on port20. If the port is going up and down constantly or numerous times in a minute, you may also want to test the physical cables to verify they are good.

Donnie_BrascoAuthor

New Member

Thank you, distillednetwork. I should have mentioned that I also changed the physical ports on the switch and the cable already. The port is usually back online after a couple of seconds by itself. Sometimes only to be switched off again directly...

I'm not sure if I had already disabled Edge Port, but felt that I had already tried every setting imaginable. I have now disabled all features once and observe what happens.

Donnie_BrascoAuthor

New Member

The logs still show up and the port gets disabled. Absolutely no security features (STP) are active on the port at the moment.

Any ideas?

sachitdas_FTNT

Staff

Hi,

From what I understand is the issue specific to Macbook? Do other devices like windows laptops also witness the same problem?

Donnie_BrascoAuthor

New Member

Hi Sachit

Thanks for your reply.

It almost looks like that's a common factor. The problem occurs on my Macmini (personal) as well as on my Macbook Pro (business). However, I don't have any other desktop PCs that I use (except a virtualized Windows desktop, which I start only every few weeks). Everything else are servers (Linux).

I had already switched off WiFi on the devices, as I suspected a roaming problem. All without success.

Do you know of any other such problems with macOS?

Best,

Donnie

t-dalt13

New Member

Hello Donnie,

I have the same problem with my fortigate -> fortiswitch -> fortiAP.

On port goes to ap STP periodically changes state, port goes down and ap reboots.

Do you find the solution?

ac1

Explorer III

Hi Donnie,

I have the same situation between a FortiSwitch and an Alcatel-Lucent switch. Every second I have these logs:

The clients connected to the Alcatel switch cyclically lose packets towards the resources connected to the FortiSwitches.
In the first configuration the FortiSwitch and the Alcatel were connected with a LACP and I thought it was a STP problem, but now there is only one cable connected and the root bridge is FortiSwitch, there are no loops.

I have opened a support ticket, we will do a remote session.

ac

Albert_Llena

New Member

Hello All,

I just recently migrate a factory and we are seeing the same issue, it is hard affecting production. It would be great if there are news about this issue. Thanks in advance

ac1

Explorer III

Hi Albert,
I did the remote session with Fortinet support. The problem appears to be an incompatibility between RSTP and MSTP. The FortiSwitches only support MSTP which is backwards compatible with RSTP, but apparently it's not talking properly with RSTP (in my case these are Alcatel-Lucent switches).
So MSTP goes through all spanning-tree phases cyclically, that's why I see logs of STP status continuously.
To resolve it, MSTP must also be configured on the switches in cascade to FortiSwitch.

RafaelAlmonteTIC

New Member

Greetings,

I would like to know if you were able to solve this problem, because we are experiencing the same thing in the institution where I work.

jokes54321

New Member

One of my network admins tracked it down in our environment. As I recall, a switch in a Dell VRTX had a lower STP priority than the FortiSwitches and kept taking the root role. Once he increased the STP priority on the VRTX switch, the problem went away.

Genobaseball10

Explorer

Hi Donnie! This may not be a spanning tree issue. Spanning tree may be reacting to the port just going down. Lets experiment with different cables, different hosts but keeping the same switch and if possible, using the same port and see if our results change.

Donnie_BrascoAuthor

New Member

Sorry ignoring your requests @t-dalt13 , @ac1 , @RafaelAlmonteTIC. Maybe the approach of @jokes54321 will help?

In the meantime I bought a new FortiGate and also made several upgrades (Switches & FortiOS). Fortunately, the problem has disappeared in the meantime, although the cabling is still the same. Unfortunately, I don't know exactly what the cause was.

@Genobaseball10 Cables were replaced and the problem existed only with a single host.

Genobaseball10

Explorer

Nice! I'm glad we narrowed down our problem child! Now time to figure out whether its the OS or a physical issue with the port! That's a bit out of my realm but if you want a second set of eyes, I'd be more than willing to do my best to help!

ATechGuyThatCan

New Member

I had the same issue. It would help if the log file stated a potential repair option, check the cables for damage. That solution worked for me...

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded